Once an OAuth 2.0 Client receives an opaque Access Token from the Authorization Server, it can use it as a bearer token to request data from the Resource Server. The OAuth Standard does not define a format for the Access Token but https://tools.ietf.org/html/rfc7662#section-2.2 defines a Token Introspection endpoint that enables the Resource Server to request more information about the token (and validate it).
According to the specs, the only required field in the response of the introspection endpoint is a boolean named "active". So is it not mandatory for the Authorization Server to provide any information about the subject or the client to whom the token was issued? Both are described as optional in the RFC. I know that a lot of OAuth 2.0 Authorization Server implementations use JWTs as Access Tokens and some of them add an "azp" claim (which is defined in the OpenID Connect spec), but this is not defined by the OAuth spec, which means I cannot assume that all Authorization Servers implement it that way. I wonder what other options a resource server has to know which client the request originates from. Is this something that depends on the specific Authorization Server implementation? Are there any approaches other than the "azp" claim or the client_id field in the introspection response?
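
An added illustration, not part of the original question and not code from any Authorization Server: a resource-server-side check on an RFC 7662 introspection response that fails closed when the optional client_id is absent. The function name, the allow-list, the constructed sample responses and the fallback to an "azp" member are assumptions.

```python
import json
import time


class TokenRejected(Exception):
    """The introspection response does not authorize the request."""


def client_from_introspection(body, allowed_clients, now=None):
    """Return the client identifier from an introspection response body.

    Fails closed: an inactive or expired token, or a response that names
    no client, is rejected instead of being treated as anonymous.
    """
    now = time.time() if now is None else now
    try:
        resp = json.loads(body)
    except ValueError as exc:
        raise TokenRejected("response is not JSON") from exc
    if not isinstance(resp, dict):
        raise TokenRejected("response is not a JSON object")
    # "active" is the only REQUIRED member. Require the JSON boolean true,
    # so a string such as "false" is never accepted as truthy.
    if resp.get("active") is not True:
        raise TokenRejected("token is not active")
    # "exp" is OPTIONAL; when present, check it as defense in depth.
    exp = resp.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or exp <= now):
        raise TokenRejected("token is expired")
    # "client_id" is OPTIONAL in RFC 7662. Assumption: a server that omits
    # it may still echo the OpenID Connect "azp" claim as an extension.
    client = resp.get("client_id") or resp.get("azp")
    if not isinstance(client, str) or not client:
        raise TokenRejected("response names no client")
    if client not in allowed_clients:
        raise TokenRejected("client is not allowed for this resource")
    return client


# Constructed sample responses (not captured from a real server).
SAMPLE_FULL = '{"active": true, "client_id": "billing-app", "exp": 2000}'
SAMPLE_AZP_ONLY = '{"active": true, "azp": "billing-app", "exp": 2000}'
SAMPLE_MINIMAL = '{"active": true}'  # valid per the RFC, names no client
SAMPLE_STRING_FLAG = '{"active": "true", "client_id": "billing-app"}'
```
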